A memory disclosure vulnerability named "Optionbleed" was reported in the Apache server. The vulnerability is caused by a use-after-free bug in the httpd application. A remote attacker can send a crafted HTTP OPTIONS request and reveal small chunks of server memory, leaking sensitive information.

The cause of this vulnerability lies in the .htaccess configuration file. When the Limit directive is set for a user for an HTTP method that is not globally registered in the server, a memory corruption vulnerability is triggered, according to Hanno Böck, the discoverer of this vulnerability. Below is one example of the memory leak:

The leaked data looks quite similar to that of the critical "HeartBleed" vulnerability in the OpenSSL library in April 2014, although the data chunk is much smaller than HeartBleed's 64kb. There is also no way to distinguish normal traffic from attack traffic, which makes this attack hard to detect.

A massive scan of the Alexa top 1 million websites shows that 466 servers have a misconfigured .htaccess file and sent back odd responses with an Allow header containing what appeared to be corrupted data.

The Apache server now denies new methods that appear in a .htaccess file.

We recommend that Apache users upgrade their servers with the latest patch as soon as possible, and also check the Limit section in their .htaccess files to prevent the vulnerability. SonicWall has also developed the following signature to identify and stop the attacks:
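For the .htaccess check recommended above, the following added example (not SonicWall's signature and not part of the original advisory) flags `<Limit>` directives that name a method the server does not register globally. The `REGISTERED` list and the sample file are assumptions made for illustration; modules loaded on a given server may register additional methods.

```python
import re
import sys

# Assumption: methods httpd registers by default; loaded modules may add more.
REGISTERED = frozenset("""
GET HEAD PUT POST DELETE CONNECT OPTIONS TRACE PATCH PROPFIND PROPPATCH MKCOL
COPY MOVE LOCK UNLOCK VERSION-CONTROL CHECKOUT UNCHECKOUT CHECKIN UPDATE LABEL
REPORT MKWORKSPACE MKACTIVITY BASELINE-CONTROL MERGE
""".split())

# Directive names are case-insensitive; "\s+" keeps <LimitExcept> from matching.
LIMIT_OPEN = re.compile(r"^\s*<Limit\s+([^>]*)>", re.IGNORECASE)


def unregistered_limit_methods(text, registered=REGISTERED):
    """Return [(line_number, method)] for <Limit> methods not in `registered`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directive
        match = LIMIT_OPEN.match(line)
        if not match:
            continue
        for method in match.group(1).split():
            # Method names are case-sensitive, so "delete" is not DELETE.
            if method not in registered:
                findings.append((lineno, method))
    return findings


# Constructed .htaccess content for illustration only.
SAMPLE = """\
# constructed sample
<Limit GET POST>
Require all granted
</Limit>
<Limit FOOBAR>
Require valid-user
</Limit>
<limit PUT delete>
Require all denied
</limit>
"""

if __name__ == "__main__":
    # Pass .htaccess paths as arguments, or run with none to scan SAMPLE.
    inputs = {p: open(p, encoding="utf-8", errors="replace").read()
              for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    for name, body in inputs.items():
        for lineno, method in unregistered_limit_methods(body):
            print(f"{name}:{lineno}: <Limit> names unregistered method {method!r}")
```
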